Vulnerabilities > CVE-2016-8526 - XXE vulnerability in HP Airwave

047910
CVSS 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
hp
CWE-611
exploit available
NVD
Published: 2018-08-06
Updated: 2018-10-16

Summary

Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to an XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exist on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation.

Vulnerable Configurations

Part Description Count
Application
Hp
26

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionAruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting. CVE-2016-8526,CVE-2016-8527. Webapps exploit for XML platform
fileexploits/xml/webapps/41482.txt
idEDB-ID:41482
last seen2017-03-01
modified2017-03-01
platformxml
port
published2017-03-01
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/41482/
titleAruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting
typewebapps

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/141385/SA-20170301-0.txt
idPACKETSTORM:141385
last seen2017-03-02
published2017-03-01
reporterP. Morimoto
sourcehttps://packetstormsecurity.com/files/141385/Aruba-AirWave-8.2.3-XXE-Injection-Cross-Site-Scripting.html
titleAruba AirWave 8.2.3 XXE Injection / Cross Site Scripting

References